CVE-2024-44941 – f2fs: fix to cover read extent cache access with lock
https://notcve.org/view.php?id=CVE-2024-44941
In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to cover read extent cache access with lock syzbot reports a f2fs bug as below: BUG: KASAN: slab-use-after-free in sanity_check_extent_cache+0x370/0x410 fs/f2fs/extent_cache.c:46 Read of size 4 at addr ffff8880739ab220 by task syz-executor200/5097 CPU: 0 PID: 5097 Comm: syz-executor200 Not tainted 6.9.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 sanity_check_extent_cache+0x370/0x410 fs/f2fs/extent_cache.c:46 do_read_inode fs/f2fs/inode.c:509 [inline] f2fs_iget+0x33e1/0x46e0 fs/f2fs/inode.c:560 f2fs_nfs_get_inode+0x74/0x100 fs/f2fs/super.c:3237 generic_fh_to_dentry+0x9f/0xf0 fs/libfs.c:1413 exportfs_decode_fh_raw+0x152/0x5f0 fs/exportfs/expfs.c:444 exportfs_decode_fh+0x3c/0x80 fs/exportfs/expfs.c:584 do_handle_to_path fs/fhandle.c:155 [inline] handle_to_path fs/fhandle.c:210 [inline] do_handle_open+0x495/0x650 fs/fhandle.c:226 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f We missed to cover sanity_check_extent_cache() w/ extent cache lock, so, below race case may happen, result in use after free issue. - f2fs_iget - do_read_inode - f2fs_init_read_extent_tree : add largest extent entry in to cache - shrink - f2fs_shrink_read_extent_tree - __shrink_extent_tree - __detach_extent_node : drop largest extent entry - sanity_check_extent_cache : access et->largest w/o lock let's refactor sanity_check_extent_cache() to avoid extent cache access and call it before f2fs_init_read_extent_tree() to fix this issue. • https://git.kernel.org/stable/c/263df78166d3a9609b97d28c34029bd01874cbb8 https://git.kernel.org/stable/c/323ef20b5558b9d9fd10c1224327af6f11a8177d https://git.kernel.org/stable/c/d7409b05a64f212735f0d33f5f1602051a886eab •
CVE-2024-44940 – fou: remove warn in gue_gro_receive on unsupported protocol
https://notcve.org/view.php?id=CVE-2024-44940
In the Linux kernel, the following vulnerability has been resolved: fou: remove warn in gue_gro_receive on unsupported protocol Drop the WARN_ON_ONCE inn gue_gro_receive if the encapsulated type is not known or does not have a GRO handler. Such a packet is easily constructed. Syzbot generates them and sets off this warning. Remove the warning as it is expected and not actionable. The warning was previously reduced from WARN_ON to WARN_ON_ONCE in commit 270136613bf7 ("fou: Do WARN_ON_ONCE in gue_gro_receive for bad proto callbacks"). • https://git.kernel.org/stable/c/5a2e37bc648a2503bf6d687aed27b9f4455d82eb https://git.kernel.org/stable/c/3db4395332e7050ef9ddeb3052e6b5019f2a2a59 https://git.kernel.org/stable/c/440ab7f97261bc28501636a13998e1b1946d2e79 https://git.kernel.org/stable/c/dd89a81d850fa9a65f67b4527c0e420d15bf836c •
CVE-2024-44939 – jfs: fix null ptr deref in dtInsertEntry
https://notcve.org/view.php?id=CVE-2024-44939
In the Linux kernel, the following vulnerability has been resolved: jfs: fix null ptr deref in dtInsertEntry [syzbot reported] general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 0 PID: 5061 Comm: syz-executor404 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 RIP: 0010:dtInsertEntry+0xd0c/0x1780 fs/jfs/jfs_dtree.c:3713 ... [Analyze] In dtInsertEntry(), when the pointer h has the same value as p, after writing name in UniStrncpy_to_le(), p->header.flag will be cleared. This will cause the previously true judgment "p->header.flag & BT-LEAF" to change to no after writing the name operation, this leads to entering an incorrect branch and accessing the uninitialized object ih when judging this condition for the second time. [Fix] After got the page, check freelist first, if freelist == 0 then exit dtInsert() and return -EINVAL. • https://git.kernel.org/stable/c/53023ab11836ac56fd75f7a71ec1356e50920fa9 https://git.kernel.org/stable/c/6ea10dbb1e6c58384136e9adfd75f81951e423f6 https://git.kernel.org/stable/c/9c2ac38530d1a3ee558834dfa16c85a40fd0e702 https://git.kernel.org/stable/c/ce6dede912f064a855acf6f04a04cbb2c25b8c8c •
CVE-2024-44938 – jfs: Fix shift-out-of-bounds in dbDiscardAG
https://notcve.org/view.php?id=CVE-2024-44938
In the Linux kernel, the following vulnerability has been resolved: jfs: Fix shift-out-of-bounds in dbDiscardAG When searching for the next smaller log2 block, BLKSTOL2() returned 0, causing shift exponent -1 to be negative. This patch fixes the issue by exiting the loop directly when negative shift is found. • https://git.kernel.org/stable/c/bd04a149e3a29e7f71b7956ed41dba34e42d539e https://git.kernel.org/stable/c/f650148b43949ca9e37e820804bb6026fff404f3 https://git.kernel.org/stable/c/234e6ea0855cdb5673d54ecaf7dc5c78f3e84630 https://git.kernel.org/stable/c/7063b80268e2593e58bee8a8d709c2f3ff93e2f2 •
CVE-2024-44937 – platform/x86: intel-vbtn: Protect ACPI notify handler against recursion
https://notcve.org/view.php?id=CVE-2024-44937
In the Linux kernel, the following vulnerability has been resolved: platform/x86: intel-vbtn: Protect ACPI notify handler against recursion Since commit e2ffcda16290 ("ACPI: OSL: Allow Notify () handlers to run on all CPUs") ACPI notify handlers like the intel-vbtn notify_handler() may run on multiple CPU cores racing with themselves. This race gets hit on Dell Venue 7140 tablets when undocking from the keyboard, causing the handler to try and register priv->switches_dev twice, as can be seen from the dev_info() message getting logged twice: [ 83.861800] intel-vbtn INT33D6:00: Registering Intel Virtual Switches input-dev after receiving a switch event [ 83.861858] input: Intel Virtual Switches as /devices/pci0000:00/0000:00:1f.0/PNP0C09:00/INT33D6:00/input/input17 [ 83.861865] intel-vbtn INT33D6:00: Registering Intel Virtual Switches input-dev after receiving a switch event After which things go seriously wrong: [ 83.861872] sysfs: cannot create duplicate filename '/devices/pci0000:00/0000:00:1f.0/PNP0C09:00/INT33D6:00/input/input17' ... [ 83.861967] kobject: kobject_add_internal failed for input17 with -EEXIST, don't try to register things with the same name in the same directory. [ 83.877338] BUG: kernel NULL pointer dereference, address: 0000000000000018 ... Protect intel-vbtn notify_handler() from racing with itself with a mutex to fix this. • https://git.kernel.org/stable/c/e2ffcda1629012a2c1a3706432bc45fdc899a584 https://git.kernel.org/stable/c/5c9618a3b6ea94cf7bdff7702aca8bf2d777d97b https://git.kernel.org/stable/c/e075c3b13a0a142dcd3151b25d29a24f31b7b640 •